13.4. Client-centric OAuth 2.0/OIDC

OAuth 2.0 and OpenID Connect Authorization Code Grant

For the OAuth 2.0 Authorization Code Grant (see RFC 6749 Section 4.1), Airlock IAM can take both the role of the authorization server and the role of the client:

  • Airlock IAM as Client-centric OAuth 2.0 Authorization Server

    Internal and external target applications can fetch information about the current user from Airlock IAM.

    The following OAuth 2.0 endpoints make this possible:

    • The OAuth 2.0 Authorization Endpoint allows users to authenticate using any of the authentication methods supported by Airlock IAM. Authenticated users obtain an OAuth 2.0 authorization code.
    • The OAuth 2.0 Authorization Endpoint supports PKCE ("Pixy", https://tools.ietf.org/html/rfc7636).
    • The OAuth 2.0 Token Endpoint allows clients to obtain access and refresh tokens using an authorization code.
    • The OAuth 2.0 Resource Endpoint allows clients to obtain information about the user using an OAuth 2.0 access token.
  • Airlock IAM as OAuth 2.0 Client

    It is possible to authenticate users by interacting with third-party OAuth 2.0 Authorization Servers. This allows single sign-on (SSO) by delegating authentication to a third-party Authorization Server.

Airlock IAM also supports the OpenID Connect Authorization Code Grant in both the role of the authorization server and the client, as described above. The OpenID Connect UserInfo Endpoint is also supported.
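The Authorization Code Grant with PKCE described above, as an added example that is not part of the Airlock IAM documentation or product code: the client derives a code_challenge from a random code_verifier and sends it with the authorization request, and the authorization server's token endpoint later checks that the presented code_verifier matches the challenge stored with the authorization code (RFC 7636). The endpoint URL, client_id and redirect_uri are placeholders assumed for illustration; the known verifier/challenge pair is the test vector from RFC 7636 Appendix B.

```python
# Added example (not Airlock IAM code): PKCE for the OAuth 2.0 Authorization
# Code Grant, client side and the token-endpoint check (RFC 7636).
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder authorization endpoint, assumed for illustration only.
AUTHORIZATION_ENDPOINT = "https://iam.example.invalid/oauth2/authorize"

# Known-answer pair from RFC 7636 Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def _b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 section 4.1: a high-entropy string of 43..128 unreserved characters.
    32 random bytes encode to exactly 43 base64url characters."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, verifier: str) -> str:
    """Client side: the authorization request carries the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def verify_code_verifier(stored_challenge: str, stored_method: str,
                         presented_verifier: str) -> bool:
    """Token-endpoint side (RFC 7636 section 4.6): recompute the challenge from the
    verifier presented with the authorization code and compare in constant time.
    Design choice of this example: only S256 is accepted; the RFC's 'plain'
    method offers no protection against a leaked challenge and is rejected."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = code_challenge_s256(presented_verifier)
    return secrets.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    url = build_authorization_url("example-client", "https://app.example.invalid/cb",
                                  "openid profile", secrets.token_urlsafe(16), verifier)
    challenge = parse_qs(urlparse(url).query)["code_challenge"][0]
    print("authorization request:", url)
    print("verifier accepted at token endpoint:",
          verify_code_verifier(challenge, "S256", verifier))
```

The verifier never leaves the client until the token request, so an authorization code captured in transit or via a leaked redirect cannot be redeemed without it; the authorization server must store the challenge and method alongside the issued code and reject token requests whose verifier does not match.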

The detailed documentation can be found in 13.4.1. OAuth 2.0 / OpenID Connect Authorization Code Grant.

Deprecation warning

It is recommended that customers use the AS-centric implementation of the OAuth 2.0 and OIDC features. The client-centric implementation has been deprecated (see deprecation announcement in the release information section for details).

The client-centric implementation will NOT be available in the Loginapp REST UI.

Supported features in the Loginapp REST UI:

  • OAuth 2.0 Client features: available from IAM 7.5
  • OAuth 2.0 Authorization Server - AS-centric: available from IAM 7.6

See also 17.5. Migrating from the JSP-Loginapp to the Loginapp REST UI.

OAuth 2.0 Implicit Grant

For the OAuth 2.0 Implicit Grant (see RFC 6749 Section 4.2), Airlock IAM can take the role of the Authorization Server. In the implicit grant setting, clients are typically implemented in the user's browser using a scripting language such as JavaScript. The RFC calls these clients 'public'.

The detailed documentation can be found in 13.4.2. OAuth 2.0 Implicit Grant (Client-centric).

OAuth 2.0 and OpenID Connect token introspection

OAuth 2.0 Token Introspection (RFC 7662) support is available in the client-centric authorization server. However, not all of the optional attributes are supported, and no additional RFCs are supported.

The following attributes are currently present in the introspection response:

  1. active
  2. Only for valid tokens:
     1. scope
     2. client_id
     3. exp (for tokens that do expire)
     4. iat
     5. sub
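How a resource server should consume an introspection response that carries exactly the attributes listed above, as an added example that is not part of the Airlock IAM documentation or product code. The sample responses are constructed for illustration and the clock is frozen so the checks are deterministic; note the two cases the attribute list implies: a token without an exp attribute (it never expires) and an inactive token, for which RFC 7662 section 2.2 returns only "active": false and nothing else may be relied on.

```python
# Added example (not Airlock IAM code): validating an RFC 7662 introspection
# response before granting access on a resource server.
import json
import time
from typing import Optional

# Constructed sample responses; NOW is a fixed clock for deterministic checks.
NOW = 1_700_000_000
SAMPLE_ACTIVE = json.dumps({"active": True, "scope": "openid profile", "client_id": "app-1",
                            "exp": NOW + 300, "iat": NOW - 60, "sub": "alice"})
SAMPLE_NO_EXP = json.dumps({"active": True, "scope": "read", "client_id": "app-2",
                            "iat": NOW - 60, "sub": "bob"})
SAMPLE_EXPIRED = json.dumps({"active": True, "scope": "read", "client_id": "app-2",
                             "exp": NOW - 1, "iat": NOW - 400, "sub": "bob"})
# RFC 7662 section 2.2: an invalid or expired token yields only "active": false.
SAMPLE_INACTIVE = json.dumps({"active": False})


def check_introspection(response_body: str, required_scope: str,
                        expected_client_id: Optional[str] = None,
                        now: Optional[float] = None) -> dict:
    """Return {"ok": bool, "reason": str, ...}; grant access only when ok is True."""
    now = time.time() if now is None else now
    try:
        resp = json.loads(response_body)
    except ValueError:
        return {"ok": False, "reason": "malformed response"}
    if not isinstance(resp, dict):
        return {"ok": False, "reason": "malformed response"}

    # 'active' is a JSON boolean; a missing value, the string "true" or the
    # number 1 are all treated as inactive, and nothing else is read in that case.
    if resp.get("active") is not True:
        return {"ok": False, "reason": "token not active"}

    # exp is optional: tokens that never expire carry no exp attribute.
    exp = resp.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return {"ok": False, "reason": "token expired"}

    # Bind the token to the client the resource server expects, when known.
    if expected_client_id is not None and resp.get("client_id") != expected_client_id:
        return {"ok": False, "reason": "client_id mismatch"}

    # scope is a space-separated list (RFC 6749 section 3.3).
    granted = set(str(resp.get("scope", "")).split())
    if required_scope not in granted:
        return {"ok": False, "reason": "insufficient scope"}

    sub = resp.get("sub")
    if not sub:
        return {"ok": False, "reason": "no subject"}
    return {"ok": True, "reason": "", "sub": sub, "client_id": resp.get("client_id"),
            "scope": sorted(granted), "iat": resp.get("iat")}


if __name__ == "__main__":
    for name, body in [("active", SAMPLE_ACTIVE), ("no exp", SAMPLE_NO_EXP),
                       ("expired", SAMPLE_EXPIRED), ("inactive", SAMPLE_INACTIVE)]:
        print(name, "->", check_introspection(body, "read", None, NOW))
```

The order of the checks matters: the "active" flag is evaluated first and the function returns before touching any other attribute, so an inactive response that happens to contain stale scope or sub values (which RFC 7662 does not promise for inactive tokens) can never be misread as a grant.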

The detailed documentation can be found in 13.4.3. OAuth 2.0 Token Introspection Endpoint (client-centric).

Further information and links